Spammers Use Bing to Bypass Filters, Spam Bad Links

Word came down from our Threat Research team this morning about a new spam campaign that uses the upstart Bing search engine's own redirection mechanism to bypass spam filters and deliver undesirable links over email. On top of that, the spammers are also abusing MySpace's lnk.ms link shrinking system to further obfuscate the destination the spammed link actually points to.

When you view an RSS feed in Bing (its news feed, for example), every clickable link in the feed goes through Bing's internal redirection mechanism: before you land on the news story you want to read, your browser first connects to http://www.bing.com/news/rssclick.aspx?redir= followed by the full URL of the site you intend to visit.

The thing is, anyone can plug any URL onto the end of that address and Bing will redirect to it. For instance, you could come back to the front page of this blog. Nothing is in place to prevent a criminal from redirecting users to something worse, like a drive-by download or a phishing page. In this case, recipients who click the link are bounced through MySpace's link shrinker and finally land on a site selling a "work at home making money from Google" pyramid scheme.
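To make the mechanism concrete, here is an added example (not Webroot's code, and not Bing's) in Python. The first half does what a mail filter or an analyst would do with a link like the one in this campaign: recognize the redirector, pull the real target out of the `redir` parameter, follow the chain, and flag the link when the host a reader sees is not the host they end up on. The second half shows the two fixes a redirector like this needs so that "anyone can plug anything into the end of that URL" stops being true: an allow-list for on-site targets, and an HMAC signature for off-site ones so that only links the feed generator produced are honoured. The redirector table, the `lnk.ms` expansion, the key and the destination hosts are all constructed for the example; nothing here touches the network.

```python
"""Added example: unwrap redirector-wrapped email links and harden an open
redirector. Not code from the original post; the redirector table, the
shortener expansion and the key below are constructed for the example."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

# Known open redirectors: host -> {path: query parameter carrying the target}.
# Constructed from the post's description of Bing's rssclick.aspx redirector.
REDIRECTORS = {
    "www.bing.com": {"/news/rssclick.aspx": "redir"},
}

# Constructed stand-in for the lnk.ms shortener (no network request is made).
SHORTENER_TABLE = {
    "http://lnk.ms/abc123": "http://work-at-home-example.invalid/news.php",
}


def redirect_target(url):
    """Return the URL a known redirector bounces to, or None for other links."""
    parts = urlsplit(url)
    param = REDIRECTORS.get(parts.netloc.lower(), {}).get(parts.path.lower())
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return values[0] if values else None


def unwrap(url, max_hops=5):
    """Follow redirector and (simulated) shortener hops; return the whole chain."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirect_target(chain[-1]) or SHORTENER_TABLE.get(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def looks_deceptive(url):
    """True when the host the reader sees differs from the final destination host."""
    chain = unwrap(url)
    if len(chain) < 2:
        return False
    return urlsplit(chain[0]).netloc.lower() != urlsplit(chain[-1]).netloc.lower()


# --- Hardening the redirector itself (hypothetical server-side code) ---

ALLOWED_HOSTS = {"www.bing.com", "news.bing.com"}  # constructed allow-list


def safe_redirect(redir, base="http://www.bing.com/"):
    """Allow-list fix: resolve `redir` against the site and refuse off-site targets.
    Resolving first catches scheme-relative tricks such as //evil.invalid/."""
    target = urljoin(base, redir)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() not in ALLOWED_HOSTS:
        return None  # refuse; the caller should send the user to the front page
    return target


def make_signed_link(target, key):
    """Signature fix: the feed generator signs each target with a server-side key,
    so the click handler can tell its own links from spammer-crafted ones."""
    sig = hmac.new(key, target.encode(), hashlib.sha256).hexdigest()
    return "http://www.bing.com/news/rssclick.aspx?" + urlencode({"redir": target, "sig": sig})


def verify_signed_link(url, key):
    """Return the target only if its signature matches; None otherwise."""
    query = parse_qs(urlsplit(url).query)
    target = query.get("redir", [None])[0]
    sig = query.get("sig", [None])[0]
    if target is None or sig is None:
        return None
    expected = hmac.new(key, target.encode(), hashlib.sha256).hexdigest()
    return target if hmac.compare_digest(expected, sig) else None


if __name__ == "__main__":
    spam_link = "http://www.bing.com/news/rssclick.aspx?redir=http://lnk.ms/abc123"
    print(" -> ".join(unwrap(spam_link)))
    print("deceptive:", looks_deceptive(spam_link))
    key = b"constructed-example-key"
    good = make_signed_link("http://news.example.invalid/story", key)
    print("signed link verifies:", verify_signed_link(good, key) is not None)
    print("spam link verifies:", verify_signed_link(spam_link, key) is not None)
```

The unwrapping half is the check a filter needs: scoring the visible domain (bing.com) is exactly what this campaign defeats, so the filter has to reputation-check the final hop instead. On the server side, an allow-list is enough when a redirector only ever sends users back to the same site, but a news redirector legitimately points at arbitrary publishers, which is why the signed form is the one that actually fits this case.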

The spam message shown above eventually led us to a page that looks like a news site, with a story headlined “Is working online at home the next gold rush?” The scam page uses IP address geolocation to insert the US state you’re browsing from into the “masthead” of this “newspaper,” which promises visitors they can “earn up to $978 a day*” by doing, uh, something that has to do with Google. They’re pretty vague about exactly what you’ll be working on from home (or, in their words, “from HOME”).

Apparently, once you get going, the money literally appears out of thin air in front of your laptop’s LCD display. Man, a laptop that vomits cash money like that sure would be sweet. I wish I could qualify for an amazing opportunity like that.

Note the asterisk: The fine print informs users that Google has nothing to do with this scam, and “Your level of success in attaining the results claimed in our materials depends on the time you devote to the program, ideas and techniques mentioned, your finances, knowledge and various skills.”

The big question is, should you trust Bing redirection links you receive in email? Personally, I don't think anyone should be clicking any links received in email messages, but that kind of advice is hard for some people to swallow. So, for now, I'll just say this: remain suspicious of all email that includes a link, especially when the link is built to take you somewhere other than the site named right after the http:// prefix (here, bing.com is only the first hop; the real destination is tucked further along in the query string). If an email with a link in it doesn't pass the smell test, trust your instincts and don't follow it.

Trackbacks

[…] Researchers at Webroot Software discovered a spam campaign earlier this week that used the search engine’s own redirection mechanism and a link-shrinking technique to send people to spam Web pages, according to a post on the Webroot threat blog. […]

[…] by Google. Redirection scripts aren’t typically left wide open. In fact, when I reported a similar campaign that was exploiting an open redirect in Bing to Microsoft, to their credit, they shut down the redirect the same day. That was two years […]